If you look online for advice on keeping safe online, two pieces of advice that are usually at or near the top of the list are “use a strong password” and “use a password manager”. Great advice, but useless if you don’t know why. What’s a “strong password”? One that bench presses its own weight? A password manager? What does that even mean?
I’ll try to unpack those and explain why “strong password” and “password manager” are actually good advice, and at the top of the list. The root of the problem is that passwords are actually pretty terrible for what they are used for.
It will be easier to talk about the problem if I introduce a little bit of jargon. Yeah, I know, only three paragraphs in and I’m already introducing jargon. The combination of a user name (very often your email address) and a password is often called credentials. There are lots of other types of credentials that you use every day: your driver’s licence, your passport, the combination of your debit card and a PIN, your car keys. All these credentials prove to someone or something that you are who you claim to be.
In the security world, proving to someone or something that you are really you is called authentication. You use credentials to ask to be authenticated, and the person or thing you are asking will either believe you are you, or not. Of course some credentials are better than others — your car keys don’t prove much at all, and even passports can be faked (but not easily!).
As an aside, this idea of using credentials to prove who you are is a very, very old one, and it’s one that people have been trying to perfect forever. It was only really during the 20th century that mathematicians figured out why it’s such a hard problem. It turns out that there is no perfect way of proving your identity: every credential can be lost, copied, lent or faked, so the best anyone can do is make that expensive and easy to notice.
The idea behind using a user name (or email) and password to log in to a computer system is: while the user name might be well known, the password should be something that you keep secret. Sounds reasonable. Except computers are dumb. Really dumb. The only way that a computer can check that your user name and password belong to you is to consult a list that it keeps: does the user name exist, and does the password match? So even if you keep your password super secret, the computer also has to keep a copy of the secret, or something derived from it, to check against. That’s… a problem.
Another aside — if user names and passwords are such a problem, why does every website on the planet use them? Two reasons: programmers are used to adding username/password credentials to systems out of habit; and doing anything else takes more work. Three reasons: the whole planet is used to usernames and passwords, and asking people to change to any of the better options risks annoying customers who take their business somewhere else.
Ok. Back to the problem. In order for the computer to check if your username and password are correct, it needs to check against a list when you send them over. You would think that companies and websites would take extra special pains to ensure that they keep those lists secret. Yeah, you’d think that. Unfortunately it turns out that quite a lot of companies have been very very bad at keeping the password lists secret. Small companies, big companies, huge companies. Hotel chains, financial enterprises, pizza shops, dating sites — you name it, they’ve probably let the bad guys get copies of their password lists.
A lot of these stolen password lists are out in the open, for sale to and between bad guys, and the Australian security researcher Troy Hunt (a Microsoft Regional Director, not a Microsoft employee) has built a website that illustrates the problem, called “Have I Been Pwned” (https://haveibeenpwned.com). This is rather a scary site: if you put in your email address, you will very likely discover that it, along with whatever password you used at the time, turned up in one or more of the stolen lists. (The same site has a companion service, Pwned Passwords, that lets you check a password itself against the stolen lists without actually sending the password to the site.) Go try it.
Scary, wasn’t it.
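As an added example (my own code for this post, not anything from the Have I Been Pwned site), here is how the site’s companion Pwned Passwords service lets a program check a password without ever sending it. The program hashes the password with SHA-1, sends only the first five hex characters of the hash to https://api.pwnedpasswords.com/range/<prefix>, gets back every breached hash that starts with those five characters as “SUFFIX:COUNT” lines, and compares the rest of the hash locally. The network call is left out so the code runs offline; the response text below is a constructed stand-in for what the service returns, and the count shown against “password” is invented.

```python
import hashlib

# Added example: checking a password against the Pwned Passwords "range"
# endpoint without sending the password. Only a 5-character hash prefix
# leaves your machine; the rest of the comparison happens locally.


def sha1_hex_upper(password):
    """Pwned Passwords keys on the upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """Return (5-char prefix sent to the service, 35-char suffix kept locally)."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def count_in_range_response(suffix, response_text):
    """Scan a range response ("SUFFIX:COUNT" per line) for our suffix.
    Returns the breach count, or 0 if the password has not been seen."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


# Constructed stand-in for the service's reply for the prefix of
# SHA-1("password") (5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8). The two filler
# lines and the count of 1000000 are invented so the scan has something to skip.
PREFIX_OF_PASSWORD, SUFFIX_OF_PASSWORD = split_for_range_query("password")
SAMPLE_RANGE_RESPONSE = "\n".join([
    "0" * 34 + "1:3",
    SUFFIX_OF_PASSWORD + ":1000000",
    "F" * 34 + "2:1",
])


def seen_in_sample(password):
    """Times `password` appears in the constructed sample response."""
    _, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, SAMPLE_RANGE_RESPONSE)


if __name__ == "__main__":
    for pw in ["password", "horse staple battery"]:
        prefix, _ = split_for_range_query(pw)
        print(f"{pw!r}: would send prefix {prefix}; seen {seen_in_sample(pw)} times in sample")
```

Against the live service you would fetch `https://api.pwnedpasswords.com/range/` followed by the prefix (for example with `urllib.request.urlopen`) and pass the response body to `count_in_range_response`. Because every password whose hash shares those five characters comes back in the same reply, the service learns nothing about which one you were checking.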
Does that mean the bad guys know your password? The honest answer is “probably, but it depends on how the company stored it”. I’ll unpack that, which will lead us toward what this “strong password” stuff is about.
In the early days of using usernames and passwords, the information in the lists was human readable, what security folk call “plain text”: the user name and the password sat side by side in the list, and anyone who got hold of the list could read every password straight off.
This is rarely done now, and whenever the security community does find a company that keeps passwords in plain text, the public criticism is robust, to say the least.
To make the password lists safer, the password can be scrambled before it is stored. You hear about encryption quite a bit in the media, and you may have got the sense that it’s something a bit illicit, used only by bad guys to protect illegal information. Encryption just means some technique that is used to scramble plain text to make it harder to read, in a way that someone who knows the secret key can unscramble again. Password lists actually use a close cousin of encryption called hashing, where the scrambling is designed so that nobody can undo it, not even the company that did it. The computer doesn’t need to undo it: when you log in, it scrambles what you typed in exactly the same way and checks whether the result matches what it has on the list.
A (very bad) example of encryption is what is called a Caesar cipher (because it was used by the Romans). This is where every letter in the alphabet is substituted by another letter, usually by shifting the alphabet over a little bit. Shift it four places back (a becomes w, b becomes x, e becomes a, f becomes b, and so on) and our password gets changed to something less readable:
fluffyBunny -> bhqbbuXqjju
This is a terrible method, by the way, and was easily deciphered thousands of years ago: there are only 25 possible shifts, so you simply try them all. But the idea of encryption is the same. Take some plain text, apply a technique to garble it up, and whoever knows the key can ungarble it.
So, the bad guys have got some password lists, and your password is on one or more of those lists, but it’s hashed. Can they undo the hash? No, and they don’t need to. What they do instead is guess: take a candidate password, hash it the same way the website did, and see whether it matches the entry on the list. Computers are very, very good at doing this quickly (a modern graphics card can test billions of guesses per second against the faster hashing methods), which means that it’s pretty easy for the bad guys to build (or buy) a program that churns through enormous numbers of guesses. That’s bad.
There’s a bright upside to the problem: every extra character multiplies the number of guesses, so the longer your password is, the longer it takes the bad guys to find it. Right now, today, a password that is 8 or 9 characters long can probably be “cracked” in minutes to hours if the website used a fast hashing method, and not much longer on a purpose-built machine if it didn’t. Going up to 12 or 14 characters pushes that out to months or years, even on a very powerful computer. Going up to 20+ characters means that it could take centuries for even a powerful computer to “crack” it, provided the password isn’t a phrase that is already on the bad guys’ lists.
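The three ideas above, a reversible Caesar cipher, a one-way hash, and the guess-hash-compare loop that the bad guys actually run, as an added worked example in Python (my own illustration, not code from the original post or from any website). It uses salted SHA-256 as a stand-in for the deliberately slow hashing methods a well-run site should use, a constructed five-word list in place of a real cracking wordlist, brute force over short lowercase strings only, and an assumed rate of ten billion guesses per second for the time estimates.

```python
import hashlib
import itertools
import os
import string

# --- A Caesar cipher is reversible, and the only secret is one of 26 shifts ---


def caesar(text, shift):
    """Shift each letter `shift` places around the alphabet; other characters
    pass through untouched. A negative shift moves letters backwards."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + shift) % 26))
        else:
            out.append(ch)
    return "".join(out)


def all_caesar_candidates(ciphertext):
    """Undo every possible shift: an attacker only has 26 lines to read."""
    return [caesar(ciphertext, -s) for s in range(26)]


# --- A hash is one-way: the list can be checked against, not "decrypted" ---


def hash_password(password, salt):
    """Toy salted SHA-256, chosen so the demo runs in a second. Real systems use
    a deliberately slow hash (bcrypt, scrypt, Argon2, PBKDF2) so that each
    guess costs the attacker far more than it costs the site."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_record(username, password):
    """What a well-run site stores: a random salt and the hash, never the password."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "hash": hash_password(password, salt)}


def verify(record, attempt):
    """Login check: hash what was typed the same way and compare."""
    return hash_password(attempt, record["salt"]) == record["hash"]


# --- Cracking is guessing: hash each guess and compare, nothing cleverer ---

# Constructed mini wordlist; real ones hold hundreds of millions of entries.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "password1234", "letmein"]


def crack(record, wordlist=COMMON_PASSWORDS, max_len=4, alphabet=string.ascii_lowercase):
    """Try the wordlist, then every string over `alphabet` up to `max_len`.
    Returns (password, guesses) on success or (None, guesses) when exhausted."""
    guesses = 0

    def candidates():
        yield from wordlist
        for n in range(1, max_len + 1):
            for chars in itertools.product(alphabet, repeat=n):
                yield "".join(chars)

    for guess in candidates():
        guesses += 1
        if verify(record, guess):
            return guess, guesses
    return None, guesses


def search_space(length, alphabet_size):
    """Number of guesses needed to try every password of this length and alphabet."""
    return alphabet_size ** length


def years_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst-case time to try the whole space at a given guessing rate."""
    return search_space(length, alphabet_size) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    ct = caesar("fluffyBunny", -4)
    print(ct, "recovered by trying all shifts:", "fluffyBunny" in all_caesar_candidates(ct))
    for pw in ["password1234", "dog", "horse staple battery"]:
        found, n = crack(make_record("alice", pw))
        print(f"{pw!r}: {'cracked' if found else 'not found'} after {n:,} guesses")
    rate = 1e10  # assumed: a GPU against a fast, unsalted hash
    for length in (8, 12, 20):
        print(f"{length} chars, lowercase only: {years_to_exhaust(length, 26, rate):.2g} years;"
              f" all 95 printable: {years_to_exhaust(length, 95, rate):.2g} years")
```

The point to notice when you run it: “dog” and “password1234” fall in well under a second while “horse staple battery” survives the whole budget, not because it uses clever characters but because it is far too long for brute force and not on the wordlist. The time table makes the same point from the other direction: 20 lowercase letters give a bigger search space than 8 characters drawn from every symbol on the keyboard.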
So the number one recommendation to keep your password safe is: make it long.
A lot of places online (and probably your workplace is one) insist that you must use “special characters”, and will make rules that you have to use a mix of numbers and letters and punctuation marks and upper and lower case. This is a pain, and we need to grit our teeth and put up with it, but the truth is that doing this does very little to make the password stronger. Swapping an o for a 0 or sticking a ! on the end barely changes the number of guesses, and the cracking tools try those tricks automatically. What makes one password stronger than another is how many guesses it forces the bad guys to make, and by far the cheapest way to push that number up is length, with the one condition that your long password isn’t a famous quote or phrase that is already on their lists.
It’s true! You can trust me! I know computers! A password like:
horse staple battery
is about 10,000 times harder to crack than
Another thing that researchers like Troy Hunt have been able to do with the huge number of stolen password lists is to count the most common passwords: you can see a summary at https://en.wikipedia.org/wiki/List_of_the_most_common_passwords. Because these are so incredibly common, the bad guys have automated tools for cracking passwords, or for attempting to log in as you, that simply assume you are using one of these passwords, or some variation of them. If you spot your passwords in that list… I suggest you go and change them right now.
There’s a pretty good chance that the website or service you are using won’t let you use something you can remember like “horse staple battery” (the brilliant XKCD comic is the source of that: https://xkcd.com/936/), which is where password managers come in. I’ll talk about that below, but first:
Never, ever, ever use the same password in different places.
The problem is that multiple password lists are floating around in the hands of the bad guys. You might have a strong password, but one of the places you used it might have stored it badly (in plain text, or with a fast, weak hashing method), so it gets cracked anyway. And plenty of people on those lists have a lousy password that is easily cracked, like “password1234”, so the bad guys will be working through every list regardless. So let’s say that your password has been cracked, and you used it to log in to order pizzas, and you used it to log in to your email. The first thing the bad guys will do when they have your email address and a password is to use it to try to log in to your email, your Facebook, your Instagram, your LinkedIn, your Twitter, your bank (security folk call this “credential stuffing”, and it is completely automated). If you have the same password used in different places, you are now in big trouble.
- Use a long password.
- Never, ever, ever use the same password in different places.
But there are so many passwords! Everywhere you go on the internet wants you to use a password! We can’t remember them all! This is where password managers come in. A password manager is just a program that runs on your laptop (or phone, or both) that holds a list of all your user name / password pairs. There are free ones, and paid ones, and some that allow access to the password list on both your phone and laptop. The main thing about the ones that I mention below is that they have all been examined by outside security professionals, are widely used, and are a far safer place for your passwords than your memory, a notebook, or a spreadsheet.
The best password managers have several characteristics in common:
- they store your password list on your own device, encrypted with a key derived from your master password, so that nobody who gets hold of the file (not even the company that makes the program) can read it;
- they have a single “master” password that unlocks them so that the passwords can be looked up when you need them;
- they can automatically generate strong random passwords for you;
- they can store other information you might want to keep secret, like passport or banking details.
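How a password manager generates passwords, as an added example (my own illustration, not the code of any of the products mentioned below). Both the random-character style and the random-word style draw from the operating system’s cryptographic random source via Python’s `secrets` module, never the ordinary `random` module, whose output is predictable; the entropy function shows why every extra character or word adds the same number of bits of unpredictability. The 16-word list is constructed for the example; real passphrase generators use lists of thousands of words.

```python
import math
import secrets
import string

# Added example: password generation the way a manager does it, from the
# OS cryptographic random source (`secrets`), never `random`.

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 characters


def random_password(length=20, alphabet=PRINTABLE):
    """Every character chosen independently and uniformly from `alphabet`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed mini word list for the example. A real generator uses a list of
# several thousand words; the well-known Diceware list has 7,776.
WORDS = ["horse", "staple", "battery", "correct", "fluffy", "bunny", "pizza",
         "laptop", "window", "planet", "marble", "orange", "silver", "ticket",
         "garden", "rocket"]


def random_passphrase(words=4, wordlist=WORDS, sep=" "):
    """Pick `words` words uniformly at random (repeats allowed) and join them."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices_per_position, positions):
    """Bits of unpredictability: log2 of the number of equally likely outputs.
    Each position adds the same number of bits, so 20 lowercase letters
    (about 94 bits) beat 12 characters drawn from all 94 printables (about 79)."""
    return positions * math.log2(choices_per_position)


if __name__ == "__main__":
    print("random characters:", random_password())
    print("random words     :", random_passphrase())
    print(f"20 lowercase letters       : {entropy_bits(26, 20):.1f} bits")
    print(f"12 from 94 printable chars : {entropy_bits(94, 12):.1f} bits")
    print(f"4 words from this 16-word list: {entropy_bits(16, 4):.1f} bits (too few!)")
    print(f"6 words from a 7,776-word list: {entropy_bits(7776, 6):.1f} bits")
```

Two things worth noticing: four words from a 16-word list is only 16 bits, which a cracker exhausts instantly, so the size of the word list matters as much as the number of words; and a manager’s generated password has its strength decided by the generator, not by whether you can remember it, which is exactly why you let the manager remember it for you.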
My personal favourite (partly because it fits my needs, and partly because I have used it for many years) is 1Password — this is a commercial product that runs on a subscription basis (for personal and family use it’s pretty cheap). It allows me to share some passwords with my family, and gives me access to the passwords from both my laptop and my phone. It also has “plugins” for common web browsers like Chrome, Firefox or Safari that make it easy and safe for 1Password to fill in your password on the web page when you need it.
Another very good commercial product is LastPass. This is very similar to 1Password, although the “business” versions provide a lot more sophisticated tools for managing passwords for a business or enterprise. My personal feeling is that for personal and family use 1Password is easier to use, but that is probably because I have used it for longer. One caveat: in late 2022 LastPass disclosed that copies of customers’ encrypted vaults had been stolen from its backups, which is the clearest possible illustration that the master password is what your whole list ultimately rests on. Make that one long.
If you are looking for a free solution, I can recommend Bitwarden. You create an account on their site (or run their server software yourself if you are so inclined); the list lives there encrypted so that they cannot read it, and a copy is kept on each of your phones and laptops. Like the commercial products above, you can add it to your browser to make it easier to fill in login details directly on the web site. It’s not quite as polished as the commercial versions, and lacks some of the nice advanced features, but it’s a solid option.
Finally, there are KeePass and KeePassXC (the actively maintained successor to KeePassX), both of which are free, and keep the password list only in a file on your laptop (you can copy or sync that file yourself if you want it on other devices). They are very similar, one being a variation of the other, but are less user friendly than Bitwarden. Don’t let that deter you though: they are excellent and solid programs, albeit a bit more “technical” in their feel and behaviour.
An important caveat about all of these solutions: only download them from their official sites, the Apple App Store, or Google Play. If you download them from somewhere else, you have no guarantee that you are getting the real program, and not some piece of malware from the bad guys that will steal your passwords.
I’ve had a few people over the past few years point out that their browsers (Safari, Chrome, Firefox and so on) offer to save passwords when they “notice” that you are logging in. This is true, and it’s certainly one way to keep a list of the passwords that you use, but I don’t recommend it. The biggest problem is that if someone can use your unlocked laptop (or phone) they will probably be able to see your passwords, because the browser typically unlocks them with nothing more than the device itself being unlocked. This is particularly true for bad guys: a stolen phone is routinely mined for saved passwords and other secret information, not just resold. Browsers have also been slower to offer the things a dedicated manager does, such as generating strong random passwords (the newer ones do now), working across every browser and app you use, and sharing with family. Stick with one of the programs above.
- Use a long password.
- Never, ever, ever use the same password in different places.
- Use a password manager to store and generate long, strong passwords.
And one last final piece of advice that I will expand on next time — get in the habit of locking your laptop and your phone when you are not using them.
The last thing I will leave you with is this: The Code Book by Simon Singh. It’s a little bit dated now, but is a super readable introduction to the fascinating history of encryption and the never-ending battle between people who want to keep secrets, and people who want to know the secrets.